Maarten87
New Contributor III

FortiClient compliant but no access to data

Hi All,

 

Not sure if this is the correct place to ask, but I hope someone might be able to assist.

In our current configuration, we are using FortiClient 6.0.3. They connect to a FortiGate 61E using SSL VPN.

Some of our users are having an issue: when they are working from home, they cannot access our company's network.

We have multiple people with the same problem.

 

Below is one of many issues we are facing at the moment:

Person is in the office. Connects to our WIFI, which is not part of our internal network. Connects SSL VPN and is compliant. Can access our internal network.

 

Person is at home. Connects to their home WIFI, which is not part of our internal network. Connects via SSL VPN and is compliant. Cannot access our internal network.

 

We are also facing the below issue:

Person is at home. Connects to their home WIFI, which is not part of our internal network. Connects via SSL VPN and is compliant according to the client and the admin portal from FortiGate. Cannot access our internal network.

If I start an internet browser on the above client, it states that it is not compliant and that it has detected FortiClient version "0.0.0".

 

Hope someone is able to assist, as this is pretty critical. Makes working from home impossible.

1 Solution
Maarten87
New Contributor III

This has been resolved for us when we updated FortiOS to version 6.0.6.

According to support:

Please be informed that I have found a well-known issue on FortiGate, known issue number 0521645, that is related to traffic over SSL VPN with compliance enabled. This issue is already resolved in FortiOS versions 6.0.5 and 6.2.1.


17 REPLIES
SteveG
Contributor III

We don't use the Compliance feature but the SSL VPN is rock solid for us. Whether that's using FortiClient or one of the Linux SSL VPN clients. What version of code is the FortiGate running?

Maarten87
New Contributor III

Hi,

FortiGate is running on FortiOS version: FortiOS v5.6.8 build1672 (GA)

It is very strange, as some users (not all) reported that the next day, for example, it is working again from home.

 

Yesterday I had a colleague who was working from home. Good WIFI signal. Started VPN and made connection, everything went fine. FortiClient showed he was compliant. I checked the FortiGate admin panel, under FortiClient Monitor, and it showed he was compliant. I open a browser and the FortiClient page pops up stating that it is not compliant because it detected version 0.0.0. We have it set so people need to have version 6.0.2. This person has version 6.0.3 so it should work. He also tried this through hotspot via phone. Same story.

In the end I couldn't fix the VPN issue...

 

Today, I am checking this same user, and he is working fine through VPN today. No changes have been made on either our side or the user's side.

SteveG

Sounds like a compatibility issue between FortiGate OS and the FortiClient version. I'll see if there's a compatibility chart somewhere.

SteveG
Contributor III

Apologies if I'm suggesting stuff you've already done but is Compliance via SSL VPN actually enabled on the FortiGate?

 

To enable endpoint registration on the SSL-VPN:

1. Go to SSL-VPN Settings > VPN > SSL-VPN Settings.
2. In Tunnel Mode Client Settings, make sure Allow Endpoint Registration is enabled.
3. Select Apply.
4. Go to Interfaces > Network > Interfaces and edit the ssl.root interface.
5. In Admission Control, enable FortiTelemetry. Optionally, you can also enable Enforce FortiClient Telemetry for all FortiClients. This forces endpoints to register with FortiClient before they have network access.
6. Select OK.

This procedure does not include all settings needed to configure a working SSL-VPN.

Maarten87
New Contributor III

Hi Steve,

This is all configured properly. Just checked. We do have people who connect fine and stay connected for a longer time. On the other hand, we also have people who can't connect with previously stated issues.

To note. Everyone is running FortiClient 6.0.3 as it is deployed to them.

SteveG

Incidentally we had some web filtering related issues that were introduced in 6.0.3 which were fixed in 6.0.5 and we don't even use web filtering! Perhaps give 6.0.5 a try on a test machine. There is also a critical vuln in 6.0.3 that's fixed in .5

Maarten87
New Contributor III

Hi Steve,

 

Since the crit vuln. is fixed in 0.5, it will be good for us to update all the clients. I did test 0.5 for these specific issues already though. For one user it did solve it, for the other user it didn't. The user for whom the update did not fix the issue came into the office the next day, stating that the VPN worked in the evening from home. I updated it in the morning.

It's really difficult to identify the issue, as clients with problems one day work the other day and decide to not work the day after again. On the other hand, some clients have no issues at all. I will test FortiClient 6.0.5 though and see if this one gives more stability.

SteveG

You seeing this on both MacOS and Windows?

Maarten87
New Contributor III

Currently we have no MacOS devices on which FortiClient is installed.

All our devices are HP Laptops running Windows 7 Professional 64 Bit. We do have around 4 to 5 machines running on Windows 10 Pro 64 bit.
